diff --git a/egi_notebooks_hub/egiauthenticator.py b/egi_notebooks_hub/egiauthenticator.py
index 0708040..57228e7 100644
--- a/egi_notebooks_hub/egiauthenticator.py
+++ b/egi_notebooks_hub/egiauthenticator.py
@@ -257,8 +257,8 @@ async def jwt_authenticate(self, handler, data=None):
 # check_allowed, such as admin status and group memberships
 return await self.update_auth_model(auth_model)
- def get_primary_group(self, oauth_user):
- groups = self.get_user_groups(oauth_user)
+ def get_primary_group(self, user_info):
+ groups = user_info.get("groups", [])
 # first group as the primary, priority is governed by ordering in
 # Authenticator.allowed_groups
 first_group = next((v for v in self.allowed_groups if v in groups), None)
@@ -280,7 +280,7 @@ async def authenticate(self, handler, data=None):
 self.log.warning("Missing OAuth info")
 return user_info
- first_group = self.get_primary_group(oauth_user)
+ first_group = self.get_primary_group(user_info)
 self.log.info("Primary group: %s", first_group)
 if first_group:
 auth_state["primary_group"] = first_group
@@ -357,7 +357,12 @@ async def refresh_user(self, user, handler=None):
 await user.spawner.set_access_token(
 auth_state["access_token"], refresh_info.get("id_token", None)
 )
- return {"auth_state": auth_state}
+ auth_model = {
+ "name": user.name,
+ "admin": True if user.name in self.admin_users else None,
+ "auth_state": auth_state,
+ }
+ return await self.update_auth_model(auth_model)
 def get_handlers(self, app):
 handlers = super().get_handlers(app)
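Review bot: `user_info.get("groups", [])` in `get_primary_group` (hunk `@@ -257,8 +257,8 @@`) only covers a missing key; if the auth model carries `"groups": None`, the `v in groups` test can raise `TypeError`, so `groups = user_info.get("groups") or []` is safer. The removed line called `self.get_user_groups(oauth_user)`, whereas the new one depends on the model already holding a populated `groups` entry; if group management is not enabled (not visible from this hunk) the primary group would silently become `None`. A comment such as `# groups come from the auth model; empty when the hub does not manage groups` would record that dependency. The same `.get("groups", [])` pattern appears in `EOSCNodeAuthenticator.get_primary_group` (`@@ -381,14 +386,14 @@`) and deserves the same guard.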
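Review bot: The model returned from `refresh_user` (hunk `@@ -357,7 +357,12 @@`) is rebuilt from the existing `auth_state`, and only the `access_token`/`id_token` update is visible here, so group membership may be recomputed from login-time claims. If the user-info claims in `auth_state` are not re-fetched earlier in `refresh_user` (outside this hunk), a user removed from a group upstream would keep it, and the profiles it unlocks, until the next full login. Separately, `"admin": True if user.name in self.admin_users else None` can grant admin on refresh but never withdraw it, assuming `None` is treated as "leave unchanged". I would document both, e.g. `# groups/admin are recomputed from auth_state; None leaves the admin flag as it is`, and confirm that the claims are refreshed before this point.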
@@ -381,14 +386,14 @@ class EOSCNodeAuthenticator(EGICheckinAuthenticator):
 used as the name of the Personal project group""",
 )
- def get_primary_group(self, oauth_user):
+ def get_primary_group(self, user_info):
 # first group is the personal project, which is different for every user
 # if not available call super()
- for g in self.get_user_groups(oauth_user):
+ for g in user_info.get("groups", []):
 m = re.match(self.personal_project_re, g)
 if m:
 if m.groups():
 return m.groups()[0]
 else:
 return g
- return super().get_primary_group(oauth_user)
+ return super().get_primary_group(user_info)
diff --git a/egi_notebooks_hub/egispawner.py b/egi_notebooks_hub/egispawner.py
index ffcab96..36259e0 100644
--- a/egi_notebooks_hub/egispawner.py
+++ b/egi_notebooks_hub/egispawner.py
@@ -45,6 +45,9 @@ class EGISpawner(KubeSpawner):
 def __init__(self, *args, **kwargs):
 super().__init__(*args, **kwargs)
+ # change to a method so we can filter
+ self._profile_config = self.profile_list
+ self.profile_list = self._profile_filter
 self.pvc_name = uuid.uuid4().hex
 self.token_secret_name = self._expand_user_properties(
 self.token_secret_name_template
@@ -140,18 +143,6 @@ async def auth_state_hook(self, spawner, auth_state):
 await spawner.set_access_token(
 auth_state.get("access_token", None), auth_state.get("id_token", None)
 )
- groups = auth_state.get("groups", [])
- if spawner.profile_list:
- new_profile_list = []
- for profile in spawner.profile_list:
- profile_vos = profile.get("vo_claims", [])
- if not profile_vos:
- new_profile_list.append(profile)
- else:
- if any(i in groups for i in profile_vos):
- new_profile_list.append(profile)
- spawner.profile_list = new_profile_list
-
 primary_group = auth_state.get("primary_group", None)
 if primary_group:
 spawner.extra_annotations["egi.eu/primary_group"] = auth_state[
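Review bot: The swap in `EGISpawner.__init__` (hunk `@@ -45,6 +45,9 @@`) assumes the configured `profile_list` is a plain list, because `_profile_filter` later iterates `spawner._profile_config`; a deployment that already sets `profile_list` to a callable would fail in that loop. Since this filter is what hides the VO-restricted profiles, I would reject that case at start-up, e.g. `if callable(self.profile_list): raise ValueError("profile_list must be a list when vo_claims filtering is used")`. The comment could also say why the swap exists: `# profile_list becomes a callable so vo_claims filtering is evaluated per user from the current hub groups`. `__init__` continues past the end of the hunk.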
@@ -181,3 +172,16 @@ async def pre_spawn_hook(self, spawner):
 self.volumes = vols
 # ensure we have a secret
 await self._update_secret({})
+
+ def _profile_filter(self, spawner):
+ profile_list = []
+ if spawner._profile_config:
+ groups = [g.name for g in spawner.user.groups]
+ for profile in spawner._profile_config:
+ profile_vos = profile.get("vo_claims", [])
+ if not profile_vos:
+ profile_list.append(profile)
+ else:
+ if any(i in groups for i in profile_vos):
+ profile_list.append(profile)
+ return profile_list
diff --git a/requirements.txt b/requirements.txt
index 3b01606..2804386 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 jupyterhub>=4.0.2
-oauthenticator>=16.1.0
+oauthenticator>=16.3.0
 jupyterhub-kubespawner>=6.1.0
 xmltodict
 fastapi
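Review bot: `_profile_filter` (hunk `@@ -181,3 +172,16 @@` in `egispawner.py`) has no docstring, and its access rule needs one: a profile with no `vo_claims` key, or an empty list, is offered to every user, so a misspelled key silently makes a restricted profile public. I would add `"""Return the profiles whose vo_claims intersect the user's hub groups; profiles without vo_claims are unrestricted."""` and mention that membership is read from `spawner.user.groups`, i.e. whatever the hub currently holds for the user. As a style point, `groups = {g.name for g in spawner.user.groups}` together with `if not profile_vos or groups.intersection(profile_vos):` would remove the nested `if`/`else` and the repeated list scans.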